Thursday, June 30, 2011

Earlier today the folks that take care of the CFATS Knowledge Center web site updated one of the frequently asked questions listed on that site. It was a minor change to the response to FAQ # 1445 that was last updated in May, 2009. The change corrected a typo, substituting ‘DHS’ for ‘SHA’. This type of attention to detail reflects positively on the folks that take care of this valuable web site.

A similar attention to detail resulted in the link to the SSP Questions Manual found in the ‘Documents’ section of the CFATS Knowledge Center taking a surfer to the new manual even though there is no mention of the new manual in the ‘News’ section of that page. The updated link is attention to detail while the lack of a mention or explanation about the release of the new manual is either a questionable editorial decision or a communications oversight on the part of management.

I’m hearing interesting rumors that ISCD is sending out unsolicited re-tiering letters to about 400-some-odd CFATS facilities. According to one source, the letters say “DHS discovered significant errors with their Tiering models, resulting in nearly 400 facilities being over ranked. Facilities are now being notified if their Tier has changed.”

Yesterday DHS updated the web page for the CSAT Site Security Plan. They provided a link to a new CSAT SSP Questions manual. I’ve briefly checked the new manual and there is no management of change notice in the front of the manual (SHAME) that describes what has changed. It is listed as Version 2.0, so this should be a major rewrite of the manual. I’ll check it out and let you know what I find.

The Obama cybersecurity plan would establish extensive regulations for the security of cyber systems at selected critical infrastructure entities. As I have noted on several occasions in this blog, trying to regulate anything without some sort of inspection and compliance verification mechanism is a waste of time. The Administration’s plan addresses this in §6 of their critical infrastructure plan.

Private Sector Evaluators

The proposal avoids the problem of the government having to hire and maintain an expensive cybersecurity inspection workforce by establishing a private sector inspection program. Similar in many ways to the way TSA regulates the inspection process for freight going onto passenger aircraft, the proposal would establish a two-tier system of accreditors and evaluators. The accreditors would be contracted by DHS to “conduct such activities as the Secretary determines to be necessary to effectively carry out accreditations of evaluators and oversee the evaluation process” {§6(b)(2)}.

This is appropriately vague for a legislative proposal, and the details would have to be worked out during the process of developing the supporting regulations. Some of the details, however, need to be worked out in the legislative process. For example, it seems obvious to me, but it is never mentioned in the proposal, that it will be the covered entities that somehow pay for the evaluation process. What is less clear is how the Administration plans on paying for the accreditation process.

“Moreover, it is acknowledged on all sides that we face a critical shortage of qualified cyber security personnel, and so the army of evaluators created under this proposal will almost by definition not be adequately trained.”

The situation will be even worse for industrial control systems evaluations. There is nothing in the President’s proposal that addresses the differences between IT and ICS cyber systems. This is especially critical when establishing an evaluation force. Even a well-trained and experienced IT security expert will have difficulties evaluating a security plan and its implementation for control systems. A less well-trained evaluator trying to apply a generic set of cyber security standards to a control system will cause more problems than most cyber attacks.

Nobody knows how large an evaluation force will be needed to enforce these proposals. The reason is that no one knows how many entities will be covered by the critical infrastructure cybersecurity program. From a control system perspective it could be just a relatively small number of pipeline systems and electrical transmission systems if a restrictive view of the “dependent upon information infrastructure to operate” requirement of §3(b)(1)(B) is used to designate covered entities. If Mr. Clinton’s fear of a more expansive definition is realized, the ICS inspection force could be quite large.

Conflicts of Interest

One of the easiest ways to expand the size of the potential evaluator work force is to utilize existing security contractors. This, of course, sets up the potential for some interesting conflicts of interest. A contractor that advises a facility on establishing a security program could find itself evaluating that same program. While one would expect the regulations to address this, many would expect it to be specifically addressed in any legislation mandating such a private sector inspection force.

Personnel Surety

The Internet Security Alliance testimony raises another interesting concern about this inspection force. Again on page 10 of the testimony Mr. Clinton says:

“The single largest vulnerability of our cyber systems comes not from hackers using technology to break into systems, but from “insiders” with approved access to the systems. This proposal creates a virtual army of insiders crawling through our most critical infrastructure’s security systems on an annual basis.”

The failure of the President’s proposal to address the personnel surety issue is completely unacceptable. This is especially true since historically much of the cyber workforce is foreign trained. The experience that DHS has had with the personnel surety issue in the TWIC program, the Hazmat Endorsement for CDLs and the CFATS program certainly demonstrates that this controversial area needs to be addressed in the legislative proposal.

For control systems inspectors there is an additional area about personnel surety that will have to be addressed. Depending on how expansive the coverage of critical infrastructure actually is, there will be a number of CFATS covered facilities included in the program. The CFATS program has some very specific personnel surety requirements that are currently being rolled out. That program exempts the DHS inspection force (as well as first responders and law enforcement personnel) from the requirement for facilities to complete background checks before allowing these personnel to have unaccompanied access to facilities. Since the cybersecurity evaluators are not DHS employees this exemption will not apply to them.

Actually, I guess that IT evaluators for entities that own or operate CFATS covered facilities will probably have to undergo the same background check process if the IT systems are included in the facility’s list of critical or restricted systems. Will evaluators dealing with MTSA covered facilities need to have TWICs? Probably. Water facilities? Don’t worry about it; EPA has no personnel surety concerns. Railroads? The FRA doesn’t care.

Yes, we can clearly see why the cyber security proposal for critical infrastructure needs to specifically address the personnel surety issue.

Wednesday, June 29, 2011

Joe Weiss has an interesting commentary about the blog post I recently did for Dale Peterson over at Digital Bond's SCADA Security blog. He is concerned (and Joe and I have talked about this) about the fact that the Internet Security Alliance (ISA, the other ISA) has no ICS security members and I recommended that my readers read their President’s testimony. He closes by saying: “Larry did not understand the unique issues associated with ICSs. This is another case of why it is important for the ICS community to speak for itself.”

My Response

I posted the following response on the Unfettered Blog site; last I saw it was awaiting moderation so it may not be up yet.

“Actually Joe, the post you quoted was one that I posted on Digital Bond's SCADA Security blog. While Larry Clinton may not know squat about ICS security (and to be fair his comments were not about ICS security) he made some very interesting points about what types of ‘entities’ would be covered by the President’s proposed legislation. I certainly don’t agree with all of his points as readers of my blog are aware (see Monday’s post), but the points that he does make need to be discussed before they get incorporated in legislative language that ends up making ICS security even more difficult.

“I certainly agree that the ICS community needs to speak for itself in this matter (and I hope my blog posts on this topic are helping to generate that discussion) but we do need to know what others are saying about cyber security issues that will certainly directly affect what we do or have done to us.”

Expanded Discussion

The issue is important enough that I think it deserves more than just the response I provided on the Control Global site.

First everyone needs to understand the President’s proposals (and the critical infrastructure proposal, pages 31-37 of 52 pages, is just one of a series outlined by the Administration in a single document) do not directly address industrial control system security. They do provide for the establishment of regulations that would address cybersecurity requirements for critical infrastructure. ICS security would be a small but important sub-set of the cybersecurity that could be addressed in those regulations.

The very important issue that Mr. Clinton addressed was how DHS would determine what private sector entities would be regulated and which would not. This is an important part of the proposal; systems are not regulated, ‘entities’ are. So if a regulated entity has industrial control systems, their cybersecurity plan would have to address security issues associated with their ICS. Likewise, no matter how ‘critical’ a control system was or how vulnerable it was, if it is not owned by a regulated entity then DHS would have no say in the security of that system.

So this is yet another issue that the ICS community, the IT community and the corporate security community are all going to have to get together to adequately address. If we have to listen to an IT type explain the overall issue, so be it. Where their issues are different, we need to speak up. But we should still listen.

This morning, after a very brief mark-up hearing, the Senate Homeland Security and Governmental Affairs Committee passed S 473, the Continuing Chemical Facilities Antiterrorism Security Act of 2011, in a bipartisan vote of 8-2 (with additional uncounted proxy votes of 5-2). This bill would extend the current CFATS authorization for three years and add voluntary programs for training and exercises, as well as have DHS establish a source for ‘best practices’ information for potential voluntary IST implementation.

Sen. Collins (R, ME), the Ranking Member of the Committee and author of the bill, introduced a technical amendment to the proposed bill that would update the ‘current’ ending date of the CFATS program from October 4, 2010 to October 4, 2011. This amendment was passed on a voice vote without dissent.

There was a brief discussion about the added costs of the programs added in this bill. Those costs were estimated by the Congressional Budget Office to be $30 Million per year. Chairman Lieberman and Sen. Collins agreed to work together to come up with offsets to allow for the necessary increased spending authorization.

There was some opposition to the lack of IST provisions and not ending the water facility exemptions, both from Senators Lieberman and Akaka (D, HI). In the end Lieberman voted for the bill and Akaka against it. Lieberman expressed his belief that those issues would be addressed when the bill got to the floor of the Senate.

There was the brief mention of a new idea for the CFATS program that came up in the discussion of the increased costs. One Senator (and I didn’t catch his name and the video did not show name tags) suggested that the program could be changed to have the covered facilities pay a regulatory fee to cover some of the costs of the program. No formal proposal was made.

As I mentioned in yesterday’s blog on S 1253 I expected to find additional information on military cyber security matters in the Senate Armed Services Committee report on S 1253 (Sen Rept 112-26) and I wasn’t disappointed when I reviewed the 343 page document. I only found one new item (a discussion of USB security devices) but there are some interesting additional details about the subjects that I discussed in yesterday’s blog.

Previous Topics

For those readers who are specifically interested in any one of the particular topics that I covered yesterday, here is a list of the topics and respective pages for the additional coverage (Note: when using Adobe Reader® you have to add ‘22’ to the page number to get to the appropriate page; the Committee Report does not start Arabic page numbering until after the table of contents, a confusing, out-dated practice).

• GPS Interference – Pg 161

• Detecting Cyber Attacks – Pg 165-9

• WIKI Leaks Prevention – Pg 169

• Cyberspace Experts – Pg 184

The lengthy discussion on detecting cyber attacks based upon previously unidentified vulnerabilities is well worth the read. Of particular interest is the sanitized discussion of the capabilities of NSA to detect attacks based upon zero-day exploits (pgs 165-6). It would seem to me that a complementary technique would be for NSA and other appropriate agencies (CERT and ICS-CERT for example) to conduct programs to actively look for vulnerabilities in critical software packages or systems.

USB Device Security

The Committee recommends a $3.0 million increase in the budget authorization for the Department’s Information Systems Security Program. This would be used to fund an as-yet-undetermined number of additional File Sanitization Tools (FiST; don’t you love DOD acronyms?). These devices were developed by NSA ‘to check and cleanse the content of thumb drives’. They were initially developed when “military networks, including classified networks, were infected with a propagating virus that was initially introduced via USB flash drive or ‘thumb drive’ removable media devices” (pg 81) several years ago.

Interestingly, it took the predecessor to the Cyber Command 16 months to require the use of such devices after NSA developed them within months of receiving the tasking. DOD initially determined that they would need 700 such devices, but to date (apparently two years after their development) only 57 have actually been purchased and deployed.

The Report notes that other mitigation efforts (including limiting the computers that can accept/use a USB memory device) have been put into place, but the Committee expresses some concern that this relatively inexpensive device (well relatively inexpensive for really sensitive computers) isn’t more widely used. DOD is in the process of determining how many additional units are actually needed, so the $3 million is based upon the Committee’s best guess of the cost.

I immediately suspected that the Office of Management and Budget (OMB) had finally gotten around to approving the Notice of Proposed Rule Making for the same program. That would have made this link effectively out-of-date. Double checking the OIRA web site I found no announcement; of course they don’t post today’s announcements until tomorrow so I’m not absolutely sure that the NPRM hasn’t been approved. Besides, the web site people wouldn’t normally get the word that quickly.

BTW: I’m still hoping that the removal of the ANPRM note reflects the imminent release of the NPRM. Rest assured I’ll be watching and reporting.

Page Tools Removed

Another minor change was the removal of the ‘Page Tools’ section that provided links for printing the page, requesting email updates and subscribing to an RSS feed. The first is easy enough to do from one’s browser page. The second is already covered by a banner link near the top of the page. I don’t know why the RSS feed tool was removed, but the link still works; so if you’re interested here it is http://www.dhs.gov/xutil/feeds.shtm.

No NTAS Link

Also missing from the page is any link to or notice about the National Terrorism Advisory System (NTAS). The earlier version of this page included a link to the old color coded system, but it may have been removed when the NTAS went into effect last month. I might not have noticed that.

Dead Link to Reporting Information

There is still a link on the page to the CFATS Tip Line. The link is supposed to go to FAQ #1620, but because of the way that the links for FAQs are now handled it just goes to the CFATS Knowledge Center page. One would have to enter “CFATS Tip Line” in the search box and then be faced with a list of 80 FAQs that are offered as a response to that search (FAQ #1620 is the first on the list today). The same information is available on the Report Incidents page. That is really where this link should take someone.

I have been waiting to see something on the Surface Transportation Board’s web site about the hearing that was to have been held last week in the matter of Canexus v BNSF. Readers will recall a number of posts here about the complaint that Canexus filed asking the STB to compel BNSF to provide a tariff rate for transport of chlorine from an interline point near their North Vancouver chlorine production facility to another interline point in Kansas City, MO. Today I found the reason that there was no hearing information; Canexus reversed their earlier decision and accepted the Board’s offer of mediation to resolve the issue.

While it certainly makes sense for Canexus, BNSF and UP to reach a consensus settlement of the issues in this case, it will do little to resolve the central issues raised by the various parties to the dispute. Actually, it probably is not within the authority of the STB to resolve all of these issues. Ultimately it will be up to Congress to address the inherent conflicts between TIH shippers, railroads and the security and safety regulations addressing those shipments.

To review, some of those issues include:

● The right of captive shippers to get reasonably priced TIH transportation services to all of their customers;

● The need for railroads to be compensated for the costs of transporting TIH shipments, including protection against the potential liability costs associated with an accidental or deliberate catastrophic release of the contents of a TIH railcar;

● Determining which railroad is responsible for selecting the safest, most secure route for TIH shipments when multiple railroads must be involved in the shipment; and

Last week Sen. Levin (D, MI) introduced S 1253, the National Defense Authorization Act for Fiscal Year 2012. It provides authority for appropriations for fiscal year 2012 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, and it prescribes military personnel strengths. The bill contains a number of cyber security provisions.

GPS Interference

The Senate Armed Services Committee has concerns about the same GPS interference issue that I have discussed on a number of occasions. Sec 913 of this bill addresses this issue by requiring DOD to conduct an ongoing review to “determine if commercial communications services are causing or will cause widespread or harmful interference with national security Global Positioning System receivers” {§913(b)(2)}. If and when DOD determines that interference is or may be occurring, then DOD is required to ‘promptly’ submit a report to Congress on the situation.

Detecting Cyber Attacks

Section 931 of the bill addresses the problem of detecting new forms of cyber attacks; for example new worms and viruses for which there are no anti-virus signatures available to allow AV software to detect the attack. Specifically, the Committee is looking for DOD to obtain the capability to “enable well-trained analysts to discover the sophisticated attacks conducted by nation-state adversaries that are categorized as ‘advanced persistent threats’” {§931(b)(1)(a)}.

The legislation envisions DOD seeking this capability to be acquired from commercial sources if possible. Specifically it requires that:

“In making decisions on the procurement of such capabilities from among competing commercial and Government providers, the Secretary shall take into consideration the needs of other departments and agencies of the Federal Government, State and local governments, and critical infrastructure owned and operated by the private sector for unclassified, affordable, and sustainable commercial solutions.” {§931(b)(2)}

WIKI Leaks Prevention

Section 932 requires the Secretary of Defense to support an expanded information sharing program while providing for “the adoption and improvement of technical and procedural capabilities to detect and prevent personnel without authorization from acquiring and exporting information from classified networks” {§932(a)}. This would help to prevent the occurrence of future ‘WIKI Leaks’.

The Committee envisions a wide range of activities to be included in this effort {§932(b)} including:

• Disabling ‘removable media ports of computers’;

• Requiring system administrator approval of downloads on computers where such ports are necessary;

• Electronic monitoring and reporting of downloading to removable media;

• Public-key identity authentication to control information access;

• Electronic auditing and reporting of user activity;

• Using ‘data-loss prevention’ and ‘data-rights management’ to prevent unauthorized data export; and

• Integrating all of the above to “enable efficient management and operations, and effective protection of information, without impairing the work of analysts and users of networks” {§932(b)(7)}.
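The three monitoring-type items above (administrator approval of downloads, electronic monitoring and reporting of writes to removable media, and auditing of user activity) are easy to picture as a small audit pass over endpoint logs. The following is an added illustration written for this post; it is not from S 1253, the Committee report, or any DOD tool. The log format, the `CHG-` ticket numbers, the host names and the approval register are all constructed for the example.

```python
"""Audit constructed removable-media write events against the kinds of controls
listed in S 1253 §932(b): ports disabled except where needed, admin-approved
downloads, and monitoring/reporting of what was copied to removable media.
Added example; the log format and all names below are invented for it."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample audit lines (hypothetical key=value format, not any real product's).
SAMPLE_LOG = """\
2011-06-28T09:14:02Z host=ws-17 user=alice action=write dest=removable device=usb-0781 file=brief.pdf bytes=20480 ticket=CHG-1042
2011-06-28T09:20:41Z host=ws-17 user=alice action=write dest=removable device=usb-0781 file=archive.zip bytes=734003200
2011-06-28T10:02:13Z host=ws-03 user=bob action=write dest=removable device=usb-0951 file=roster.xlsx bytes=51200 ticket=CHG-9999
2011-06-28T10:05:55Z host=ws-03 user=bob action=write dest=network file=roster.xlsx bytes=51200
2011-06-28T11:30:00Z host=ws-22 user=carol action=write dest=removable device=usb-0781 file=notes.txt bytes=900
"""

# Constructed approval register: download tickets a system administrator approved, per user.
APPROVED_TICKETS: Dict[str, Set[str]] = {"alice": {"CHG-1042"}, "bob": set()}
# Constructed list of hosts where removable-media ports are deliberately left enabled.
PORT_ENABLED_HOSTS: Set[str] = {"ws-17", "ws-03"}

KV_RE = re.compile(r"(\S+)=(\S+)")


@dataclass
class Finding:
    timestamp: str
    user: str
    host: str
    file: str
    reason: str


def parse_line(line: str) -> Dict[str, str]:
    """Split one audit line into a dict; the leading token is the timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def audit(lines: Iterable[str],
          approved: Dict[str, Set[str]] = APPROVED_TICKETS,
          enabled_hosts: Set[str] = PORT_ENABLED_HOSTS) -> List[Finding]:
    """Return one Finding per removable-media write that violates a control.
    Writes to non-removable destinations are outside the scope of these checks."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        ev = parse_line(line)
        if ev.get("dest") != "removable":
            continue
        host, user = ev["host"], ev["user"]
        ticket: Optional[str] = ev.get("ticket")
        if host not in enabled_hosts:
            # A write succeeded on a host whose ports should have been disabled.
            reason = "removable-media write on host whose ports should be disabled"
        elif ticket is None:
            reason = "removable-media write without admin approval ticket"
        elif ticket not in approved.get(user, set()):
            reason = f"ticket {ticket} not approved for user {user}"
        else:
            continue  # approved download on a permitted host: nothing to report
        findings.append(Finding(ev["timestamp"], user, host, ev["file"], reason))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Per-user count of violations, the kind of roll-up a reporting requirement wants."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


def report(findings: List[Finding]) -> str:
    """Render findings as one line each for a human reviewer."""
    return "\n".join(f"{f.timestamp} {f.user}@{f.host} {f.file}: {f.reason}" for f in findings)


if __name__ == "__main__":
    found = audit(SAMPLE_LOG.splitlines())
    print(report(found))
    print(summarize(found))
```

Run as-is it flags three of the five constructed events: alice’s second write has no approval ticket, bob’s ticket is not in the register, and carol’s write happened on a host whose ports were supposed to be disabled. The point of the example is that the §932(b) items only become a control when the approval register, the port policy and the write log are reconciled against each other; any one of them alone reports nothing.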

Cyberspace Experts

No authorization bill would be complete without any number of mandated studies. Section 1076 of this bill requires the conduct of a manpower study that will look at the “availability of military and civilian personnel for Department of Defense defensive and offensive cyberspace operations, identifying any gaps in meeting personnel needs, and recommending available mechanisms to fill such gaps, including permanent and temporary positions” {§1076(a)}.

In addition to the requisite look at ‘various recruiting, training, and affiliation mechanisms’ that may be used to address the manpower situation, probably the most valuable part of the study will be the requirement to look at “the availability of personnel with expertise in matters related to cyberspace operations from outside of the Department of Defense” {§1076(b)(2)(B)}. Properly done, this could provide a good snapshot of the current status of cybersecurity personnel.

Control Systems Not Addressed

As one would expect, there is nothing in this bill that specifically addresses industrial control system security. On the other hand, all of the areas addressed above could have significant impacts down the road on ICS security activities.

As is usual with major legislation like this, we might expect to see additional policy areas and reporting requirements in the Committee Report that accompanies this legislation. I’ll look at that document in a separate blog posting.

Monday, June 27, 2011

Earlier today I had a post appear on Digital Bond's SCADA Security blog discussing the testimony of Mr. Larry Clinton, President, Internet Security Alliance (ISA; as Dale noted not The ISA of cyber standards renown), before the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the House Homeland Security Committee last week in a hearing about the President’s cybersecurity proposal.

In that post I looked at two of the problems that concerned Mr. Clinton about that proposal; the expansive definition of ‘covered critical infrastructure’ and the lack of qualified people to enforce the annual review requirements. I would like to take a closer look at the first issue here.

Expansive Definition of Critical Infrastructure

In reviewing the standards that the President’s legislative proposal provides for determining which critical infrastructure entities would have to comply with the new cybersecurity standards Mr. Clinton notes that “a careful reading of the legislative language indicates that it provides essentially unfettered authority to DHS to mandate technical standards for almost any aspect of the private sector” (pg 8). While there is more than a hint of political paranoia in that statement, the underlying concern rests clearly on the vague terms and lack of definitions included in the President’s proposal.

Clinton’s testimony looks at the two criteria that a facility must meet before the Secretary can label it ‘covered critical infrastructure’. These two criteria are found in §3(b)(1) on page 32 of the proposal. They are:

● The incapacity or the disruption of the reliable operation of the entity, a system or asset it operates, or a service it provides would have a debilitating impact on national security, national economic security, national public health or safety; and

● The entity, a system or asset it operates, or a service it provides is dependent upon information infrastructure to operate, or is a part of information infrastructure and critical to its operation.

Mr. Clinton focuses on the word ‘debilitating’; quite correctly noting that it is undefined in this context. He goes on to give the example of the recent cyber security breach at Sony; an attack that he notes “reportedly will cost more than a billion dollars in damage” (page 9) and makes the point that that would certainly be ‘debilitating’.

What he fails to understand is that this wording comes almost directly from the current definition of ‘critical infrastructure’ found in 42 USC 5195c(e). The Secretary has already been given considerable regulatory authority over critical infrastructure and few observers would point to the Department as being overly expansive in the reach of their regulations. In fact, I have complained on a number of occasions about their failure to write regulations that they are required to promulgate.

In the second section of the requirements he targets the term ‘information infrastructure’ and claims that “virtually all modern systems that are reliant on some form of information infrastructure to operate” (page 8). That term is not defined in this rule, a glaring oversight in view of its central nature to the regulatory scheme. We can, however, go to 44 USC 3502(8) for a definition of ‘information systems’ to find a better term for what Clinton describes.

An information system is defined as “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information”. Again this is not referenced in this proposal (and it should be), but if we use this definition to describe networks within a facility for the management of information or process control, then we would use the term ‘information infrastructure’ to describe the inter-facility communications media that allows for transmission of that information or coordination of process control at multiple facilities.

Mandating Technical Standards

Mr. Clinton’s concern about the authority given to the Secretary to establish technical standards would be a legitimate concern, if in fact there were such authority provided in this proposal. What this proposal does do in Section 4 is to require the Secretary to identify one or more ‘standardized frameworks’ for appropriately addressing each of a variety of cybersecurity risks.

Again, this terminology is not defined in the proposal or even particularly well described. What is made painfully clear (to those of us who work with the CFATS regulations) is that whatever these ‘frameworks’ are, they are not standards. Section 4(b)(5) clearly states that:

“Frameworks shall not require the use of a particular measure, but shall leave the choice of particular measures to an entity to which the framework applies.”

After watching the regulatory development process that accompanied the publication of the Risk Based Performance Standards for the CFATS program, I can assure anyone that industry will jealously guard against any suggestion that a particular measure is even coming close to being a requirement in this type of regulatory scheme.

While this gives the maximum amount of flexibility to an entity that has an effective cyber security staff, it also has its downside. For entities that do not have the requisite level of expertise in house, this effectively removes the technical resources of DHS as a source for recommendations on how to adequately secure a cyber asset.

Other Issues Remain

While I don’t agree with Mr. Clinton’s assessment of these two areas of the President’s proposal, there are other areas where I am in agreement with his testimony. I will address these in future blog posts.

The House session ended early Friday afternoon and there was no debate on HR 2219, the Department of Defense Appropriations Act, 2012, before the House adjourned for a very long weekend. They will resume consideration when they return from their July 4th ‘weekend’. There were, however, more proposed amendments to that bill published in Friday's Congressional Record. One of those amendments had potential homeland security implications, but nothing to do with cyber security.

I don’t think that this amendment will actually come to a vote on the floor, even if it is actually proposed by Mr. Clarke. House Resolution 320, the rule for the consideration of HR 2219, prohibits {§2(a)(1)} the transfer of funds to or from the funds designated as being for the global war on terrorism pursuant to section 301 of H. Con. Res. 34 (112th Congress). The Afghanistan Security Forces Fund is clearly identified GWOT funding and the State Homeland Security Grant program is not.

If it is introduced, Mr. Clarke would get his five minute speech then someone from the leadership would ‘raise a point of order’ against the amendment and the House would move on to the next amendment.

As I noted earlier, the House will take up HR 2219 when they return from their extended 4th of July weekend. There is a possibility that there might be more amendments published to HR 2219 during the two pro-forma sessions that will be held this week. I’ll be watching.

The folks over at Maritime Transportation Security News have an interesting post about some of the results from the recently completed (but yet to be reported) TWIC Reader pilot study conducted by TSA. The information in the post is based upon presentations at the recent American Association of Port Authorities (AAPA) Port Operations, Safety and Technology Seminar.

Read that entire post for details, but the results did not seem promising for the expanded use of the Transportation Workers Identification Credential (TWIC) as something more than just another picture ID. Problems ranging from card delamination to training issues were noted.

The biggest problem from a security systems perspective appears to be the amount of time that it takes to process a person through the Reader. The post makes the following observation from the presentation of Jill Taylor, Deputy Director of Homeland Security, Port of Los Angeles:

“When operating in the biometric mode, all evidently significantly exceed the maximum times the National Maritime Security Advisory Committee (NMSAC) initially thought would be acceptable to industry. Even when not comparing biometrics, most still have transaction times exceeding NMSAC’s standard.”

While none of these problems directly affects the potential use of the TWIC for background check purposes, it does call the basic program into question. The whole idea for the TWIC was that the identification would be difficult to counterfeit because of the provisions for a readily verifiable biometric component in the identification process. Without an effective TWIC reader component, the cost of the program may be hard to justify to a cost-conscious Congress.

We can expect to see some interesting hearings later this summer when TSA officially publishes their report on the TWIC Reader pilot.

Sunday, June 26, 2011

The House this week only has two pro-forma sessions scheduled (Tuesday and Friday) so we only have the Senate to watch this week. Even that won’t be tough since there is only one hearing currently scheduled this week in the Senate that will be of interest to the chemical security community. The Senate Homeland Security and Governmental Affairs Committee will be marking up S 473, the Continuing Chemical Facilities Antiterrorism Security Act of 2011.

On Wednesday, as one of five items on a Business Meeting Agenda, the Committee will consider the third CFATS extension bill to be approved by a Congressional Committee this session. As with HR 901 and HR 908 respectively in the House, I expect that this bill will pass with substantial bipartisan support. As they did last session, the Committee will agree to disagree on IST, whistleblower protections, etc., and vote in support of Sen. Collins’ bill; with a number of Democrats vowing to raise those issues in the Senate floor debate (if and when) on the bill. There may be amendments offered in the mark-up, but probably nothing of substance.

This leaves two CFATS bills yet to be acted upon during this session; HR 916, Rep. Dent’s (R, PA) companion bill to S 473; and S 709, Sen. Lautenberg’s (D, NJ) bill that would substantially change the CFATS program. The first will not be considered in committee (either the Homeland Security or Energy and Commerce Committees to which it was assigned). Sen. Lautenberg’s bill will not be heard in Sen. Collins’ (er… Sen. Lieberman’s) Homeland Security Committee. So the only horses running in this race are HR 901, HR 908 and S 473. One of the two House bills will get scrubbed next month when the House leadership decides which will come to the floor for consideration.

The Senate will not take up Sen. Collins’ bill until the House passes its CFATS legislation. Then the language in S 473 will be substituted for the House language before the floor debate begins. Things will get complicated from there. I doubt that any CFATS bill will actually get to conference this year.

Saturday, June 25, 2011

On Friday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published two new control system advisories and updated a current advisory. The update concerns the InduSoft buffer overflow advisory issued last week. The two new advisories affect the AzeoTech DAQFactory and Rockwell’s FactoryTalk systems.

InduSoft ISSymbol

The updated advisory mainly provides grammatical corrections to the advisory with little real added value. The only minor exception to that is the two nearly identical corrections in the exploit areas of the advisory. The revision notes that an exploiter would need to craft a web page for the user to access while the ActiveX component was installed on their target system. Most technically savvy readers would have read that between the lines of the original advisory.

“The DAQFactory networking feature allows multiple machines running DAQFactory to interact with each other. This interaction includes sending a signal from one device to initiate a reboot or shut down of another device. Because these signals are not encrypted or otherwise protected, a successful attacker could trigger a DAQFactory system reboot or shutdown.”

In a system that is remotely accessible, this could allow an attacker with basic skills to craft an exploit that could cause system elements to shut down or reboot.

An upgrade is available that mitigates the vulnerability. For older systems, disabling the networking feature (if not needed) will also solve the problem as will isolating networked systems.

Rockwell Automation FactoryTalk

The Rockwell Automation advisory deals with a memory corruption vulnerability in the FactoryTalk Diagnostics Viewer that could result in a moderately skilled attacker being able to execute arbitrary code on the system. An exploit of this vulnerability would require a social engineering attack to get a user to run a corrupted configuration file.

Upgrading to a newer version of the Diagnostics Viewer should successfully mitigate this vulnerability, but Rockwell Automation notes that this is not available as a stand-alone upgrade. It requires an upgrade of the entire FactoryTalk Services Platform. Even then Rockwell recommends that “customers review the Rockwell Automation Software Product Compatibility Matrix to ensure they understand the dependencies and compatibilities that may arise as a result of upgrading this product.”

Interesting Coincidence

It is interesting that earlier this week Dale Peterson at DigitalBond complained that most of the recent ICS vulnerabilities were on systems that were little used in the United States. He explained that the relatively large number of these off-shore (my term not his) vulnerabilities distorted the ICS security picture. This distortion might make it appear that the more common ICS packages used here were much less vulnerable.

Both of the new advisories published Friday affect systems that are relatively common in the United States. I’m not sure if they affect much in the way of ‘critical infrastructure’ or chemical manufacturing facilities, but they do remind the community that ICS systems here in this country are vulnerable.

Friday, June 24, 2011

Yesterday two subcommittees of the House Homeland Security Committee held the initial hearing on the WMD Prevention and Preparedness Act of 2011 that will apparently be introduced today by Rep. King (R, NY) and Rep. Pascrell (D, NJ). According to Pascrell’s testimony today, the bill will be (as I predicted) an updated version of last session’s HR 5057.

No new information here. Congress is still ‘very concerned’ about the possibility of al Qaeda developing and deploying bio-weapons. While I probably agree that biotechnology is developing at a pace that will inevitably allow easier development of bio-weapons, I doubt that the caves of Afghanistan, or even the ‘luxury’ complexes of Pakistan, are the areas that I would expect to see such development to take place. Actually, I would like to see al Qaeda undertake such development efforts in those locations; they would be the first and final victims of their research. Bug development is an inherently dangerous business requiring extensive physical infrastructure to protect the developers.

I wish that Congress would address the much more likely WMD attack potential, the security of very dangerous chemicals running up and down the roads and railways of this country. Some security measures might be nice and maybe some emergency response planning.

I got an interesting email yesterday from Scott Jensen, Director of Issues Communication at the American Chemistry Council. He was kind enough to forward a copy of the written testimony that the ACC was submitting for today’s hearing before the Cybersecurity, Infrastructure Protection, and Security Technologies Subcommittee of the House Homeland Security Committee.

While typically made part of the ‘public record’, such unsolicited written testimony is seldom placed on the hearing web site. Perhaps the Homeland Security Committee can establish a new level of public information sharing by including such written testimony on their hearing web site.

Today’s hearing is another in a series of hearings on the Administration’s comprehensive cyber security proposal that I wrote about in an earlier blog. As I noted in a weekly notice on congressional hearings, this hearing today is much more likely to address the control systems security issues of probable interest to my readers and obviously the ACC.

Covered Facilities

I noted in my blog about the legislative proposal that I didn’t think that the description of covered critical infrastructure found in §3 of the proposed Cybersecurity Regulatory Framework for Covered Critical Infrastructure Act would generally affect chemical facilities because they wouldn’t normally fall under the dependency on ‘information infrastructure’ requirements of §3(b)(1)(A).

The ACC testimony seems to indicate that their review of the proposal takes a more expansive view of potentially covered critical infrastructure. Their testimony doesn’t specifically outline what they expect to be covered, but their analysis of the CFATS cyber security requirements would seem to indicate that they believe that CFATS covered facilities would be covered under this legislation.

The confusion about what types of facilities would be covered by this cyber security proposal isn’t limited to me and the ACC. In the hearing earlier this week before the Subcommittee on Crime and Terrorism of the Senate Judiciary Committee none of the witnesses could provide a clear definition of what facilities would be covered under the broad definition of ‘critical infrastructure’. The conclusion was that this would be best developed during the development of regulations implementing the law if the bill is passed. In other words, the Administration wants Congress to provide the DHS Secretary with the widest possible latitude.

It would be interesting to see if today’s hearing is able to get a clearer definition of what facilities might be covered.

Information Sharing

Information sharing between covered facilities and regulators will be a key to the effectiveness of any cyber security regulation scheme. The ACC testimony addresses one of the information sharing issues that I identified in my earlier blog. They note that one of the keys to a successful cybersecurity program is the creation of “a public/private partnership to effectively share information that is timely, specific and actionable and is properly protected from public disclosure”. They specifically recommend that “information voluntarily provided by the private sector should be adequately protected from public disclosure including Freedom of Information Act requests”.

There are currently a number of different information protection schemes that the government has established to protect such information from public disclosure. One of the most restrictive (read ‘protective’) is the Chemical-Terrorism Vulnerability Information (CVI) program for the CFATS program. This is because this program requires the most expansive sharing of information, a level comparable to what it appears that this plan will require.

The level of information protection needs to be clearly spelled out in any cyber security legislation adopted by Congress.

Moving Forward

Today’s hearing is just another stop on the Administration’s road show supporting their cyber security proposal. At some point in the not too distant future someone is going to have to turn the proposal into actual legislation. Then things will start to get really interesting. We can expect at least two separate bills, one for each house of Congress, probably authored by a committee chair. It will be interesting to see if Congressional leaders in the two Houses can field companion bills. Actually, it will be even more interesting to see if the competing committee chairs can come up with a single bill for each body.

Thursday, June 23, 2011

Yesterday the House Rules Committee met to consider the rule for the management of the floor debate on HR 2219, the Department of Defense Appropriations Act, 2012. As expected, the rule, H Res 320, provides for the same type of open rule as seen this year in other appropriations bills. During the paragraph by paragraph reading of the bill, any member may propose an amendment to that paragraph under a 5 minute rule.

This afternoon the House approved H Res 320 by a vote of 251 to 173. The first hour of general debate on the bill was held this evening just before the House concluded their regular legislative day. The reading of the bill and the associated amendment process will probably start tomorrow.

I have checked the amendments printed in yesterday’s Congressional Record (pgs H4460 thru 61) and could not find any that related to cyber security matters. More amendments will be printed in today’s Record (available early tomorrow morning) and more will continue to be filed while the debate continues. Of course, the amendments don’t have to be published in the Record prior to their being proposed, but most are.

In any case, I’ll be watching the results and will report on any cyber security related amendments considered by the House.

Yesterday the Senate Homeland Security and Governmental Affairs Committee held a hearing looking at the “Next Steps for Securing Rail and Transit”. Like last week’s hearing before the Senate Commerce, Science and Transportation Committee, Senators questioned the disparity between TSA funding for air and rail security operations. Once again, there was little mention of or consideration for freight rail security operations.

The written testimony from TSA Administrator Pistole for this hearing (not surprisingly, identical to last week’s written testimony) does not mention freight rail security or TSA’s much delayed regulations for railroad security training. Similarly the prepared testimony from Commissioner Boynton from Connecticut’s Department of Emergency Management and Homeland Security failed completely to discuss either of these two issues.

The testimony from Dr. Flynn, President of the Center for National Policy, also focused on passenger rail security to the exclusion of freight rail issues. He did, however, take TSA to task for their failure to complete the security training regulations mandated by Congress. He notes that “most local jurisdictions have been hesitant to pursue their own [training] effort until direction arrives from Washington” (page 6). No one wants to spend money on developing a training program only to find out that it doesn’t meet the requirements of later federal regulations.

Oh well, I suppose we need to accept that the limited number of casualties resulting from an attack on passenger rail like those seen in Madrid and London far outweighs the potential threat of the result of an attack on a single chlorine or anhydrous ammonia rail car.

BTW: I did finally get around to listening to the web cast of last week’s rail security hearing. Beyond listening to Administrator Pistole whine about how hard it is to write regulations and getting them through the Administration’s internal review process, there was nothing of interest to the chemical security community in the hearing.

Oh yes, Administrator Pistole wants an abbreviated regulatory process for homeland security regulations. I’m not sure what he wants shortened since TSA hasn’t even published an advance notice of proposed rule making yet. Perhaps he needs to send his administrative people over to talk to NPPD who published the CFATS regulations (much more complicated than training regulations) well within the congressionally mandated time limit.

Wednesday, June 22, 2011

Today the House Homeland Security Committee held a markup of HR 901, the Chemical Facility Anti-Terrorism Security Authorization Act of 2011. The final version of the bill was adopted by a resoundingly bipartisan vote of 26 to 5. A total of 15 amendments were considered by the Committee, including the two amendments in the form of substitutes that I discussed in earlier blogs (6-18-11, and 6-20-11). Five {including Rep. Lungren’s (R, CA)} were adopted by the Committee.

Adopted Amendments

The Lungren substitute language only changed the authorization level for the funding for the CFATS program {§2107}, reducing it to the current budget program level outlined by the House. All of the remaining adopted amendments modified the language of this amendment.

ISCD Processing Time Limits

Rep. Sanchez (D, CA) proposed amendment 1B that would establish a time limit of 180 days for DHS to approve or disapprove a submitted security vulnerability assessment (SVA) or site security plan (SSP). This is in response to the current slow pace of inspecting facilities and approving SSPs. Unfortunately, this does not take into account the reasons for the problems that ISCD is having getting the necessary data for the approval process; reasons that Congress has never questioned.

This language would inevitably result in a large number of facilities being formally notified that their SSP submission was disapproved rather than DHS working with the facility to get the required information put into a revised SSP submission. A formal disapproval may have unintended consequences for a facility such as increased liability insurance rates. It will certainly not speed up the approval process.

Security Background Checks

Rep. Jackson-Lee (D, TX) proposed amendment 1D that would add language concerning security background checks. The amendment would require the Secretary to establish regulations for the use of a TWIC, or other mandated security checks as an alternate method of performing the necessary personnel surety checks. This process is already being implemented by ISCD, though maybe not in the manner intended by Rep. Jackson-Lee.

This amendment fails to distinguish between the provisions in the current regulations for a background check to be accomplished by the individual facility and the submission of information to allow DHS to check for appearance in the Terrorist Screening Data Base (TSDB).

Jobs Impact

Rep. Davis (D, IL) proposed amendment 1H that would have mandated annual reports by the Secretary to Congress on the effect that the CFATS program had on job creation and elimination. The report would estimate the number of jobs created or eliminated because of implementing security programs under CFATS. It would also require the Secretary to provide feedback from owner/operators on how the program could be changed to have a more positive jobs impact.

The current economic situation certainly served as the impetus for the submission of this amendment. The recorded vote of 28-2 also shows that there was a personal reason for supporting this amendment in many of the Committee members. The demand for a voice vote on such lopsided votes indicates that the members wanted to be able to point to this vote in their future re-election campaigns as an example of their efforts to protect jobs.

If this provision remains in a CFATS authorization bill that makes it to the President’s desk, I foresee ISCD creating another tool in CSAT to allow for the easy collection and collating of this information for the annual report. It will be a relatively small addition to the CSAT burden imposed by the current CFATS program.

Small Business Assistance

Rep. Hochul (D, NY; the newest member of the Committee) proposed amendment 1I which would require the Secretary to provide technical assistance in the preparation and submission of SVAs and SSPs by covered facilities that meet the legal definition of being a ‘small business’. Presumably this is being done to help those facilities avoid the cost of hiring consultants to perform this function.

This provision will put the Department in a difficult legal position. This bill continues the current prohibition of the Secretary mandating any particular security measure as a pre-requisite for obtaining approval of an SSP. If a DHS inspector/assistor were to tell a facility to install a particular security device, then that would be de facto (and probably de jure) a violation of that prohibition.

Furthermore, the ISCD inspection force would be severely taxed by this requirement. It would take much more time for an inspection team to ‘assist’ a facility in the preparation and submission of SVAs and SSPs than it currently takes to approve an SSP. And, the SSP approval process would still require a pro-forma inspection of those facilities that received DHS assistance.

It would have made a lot more sense to include a small business grant program or tax credit to allow these small business covered facilities to hire the necessary contractors. It would have also provided more jobs for contractors.

The 29 to 1 recorded vote on this amendment again provides a good clue as to the real nature of this amendment. It is little more than a re-election publicity vote that will have unintended adverse consequences on the CFATS program.

Amendment Summary

None of these amendments to Rep. Lungren’s bill were even slightly controversial and will have little practical effect either on the CFATS program or the potential for this bill to be considered by the Senate.

The fact that these amendments and the final bill received so many Democratic votes is certainly noteworthy. In the confrontational 112th Congress this bipartisanship is something to be recognized and encouraged.

Crafting a Senate Actionable Bill

I noted in a blog last week nine items that if addressed in House CFATS legislation would help to ensure that the Senate would actually consider and likely pass the bill. These nine items are issues of importance to the environmental and labor activists that still exert substantial influence in the Senate. These items are:

• Inherently safer technology (IST)

• Employee participation

• Personnel-surety redress procedures

• Training/drills

• Whistleblower protections

• Emergency response planning

• Water/waste-water facility coverage

• MTSA facility coverage

• Public disclosure of CFATS status

I firmly believe that carefully crafted compromise language can be found that would allow substantial support from centrists in both parties and minimize active opposition from the more extreme wings of either party.

Some of these items were addressed in amendments that were considered by the Committee today. Unfortunately, none of them met the ‘carefully crafted compromise language’ standard necessary to get bipartisan support.

Additional Facility Coverage

Ranking Member Thompson came closest to meeting the challenge in his amendment 1A that would have extended CFATS coverage to NRC, MTSA and water treatment facilities. It provided that the authority to ‘maintain and enforce’ these regulations in those facilities would be given to the NRC, Coast Guard and EPA respectively. The sticking point for most opponents to such coverage is the failure to address language that allows for extensive fines and potentially closing the facility for failure to comply with the regulations. If those sanctions had been specifically withdrawn for the water treatment and power generation facilities, this might have had a better chance of passing.

Whistleblower Protections

Rep. Richardson (D, CA) proposed amendment 1C that addressed whistleblower protections. It was almost a direct copy of the same provisions found in HR 2868 from last session. There was little vocal opposition to this in the last session, but the business community has always had reservations on any restrictions on their personnel actions. Actively involving the business community in writing the terms of this might have made a difference in the final vote.

Redress Procedures

Rep. Clarke (D, MI) proposed amendment 1J that mandated the establishment of a redress procedure for actions taken under the security background check requirements. It includes establishment of standards for crimes and findings that would automatically bar someone from having unaccompanied access to restricted and/or critical areas within covered facilities. It would also require the establishment of an appeals process for questioning the legitimacy of the background check findings.

The problem that industry has always had with this language (again essentially taken from HR 2868) is that it makes no provision for a company having tighter standards for allowable ‘criminal’ conduct. Addressing this issue would make this provision easier to support for many people.

Leadership Decision

The House Leadership will now have to decide which CFATS authorization bill moves to the floor of the House. There may be one more hurdle for HR 901 to clear before this decision is made. The bill was originally referred to both the Homeland Security Committee and the Energy and Commerce Committee. Technically, the Energy and Commerce reporting on HR 908 does not count as their review of HR 901. The Speaker could simply order HR 901 discharged from the Energy and Commerce Committee if it was decided to move forward with HR 901.

Moving Forward

Again, it is clear that either of these bills would satisfy industry’s desire to have a longer term on the current CFATS rules to provide a known regulatory environment in which they are spending lots of money for security upgrades. Additionally, there are certainly enough moderate Democrats that could support either bill when it came to the floor of the House to allow for a claim of bipartisan passage in the House.

It does not appear, however, that either bill, in their current form, would avoid the ire of powerful interests in the Senate that are influenced by labor and environmental activists. These people are senior enough and numerous enough to ensure that neither bill ever makes it to the floor for possible consideration.

The House has two more chances to make appropriate changes to whichever of these bills is selected to move forward. There will be a Rules Committee hearing where limited amendments may be considered. And then there will be the floor debate where amendments may be authorized.

Today the Transportation Security Administration published in the Federal Register (76 FR 36560) the 30-day notice of their intent to renew the current information collection request (ICR, 1652-0027) allowing them to collect biographical and biometric information necessary to process applications for the Hazardous Material Endorsement (HME) for the Commercial Driver’s License issued by the States and the District of Columbia.

As I noted in my earlier blog on the publication of the 60-day notice back in August of last year TSA is making some minor changes to the information that they are collecting under this ICR. The additional information is being requested during the application process to reduce the information requests that have to be made during the adjudication process.

Not mentioned in either notice is the fact that TSA is reducing by about a third the number of annual submissions that it is expecting to receive under this ICR; from 407,000 listed in the 2008 ICR submission to 300,000 listed in today’s notice. While the number of submissions decreases significantly, the annual burden hours more than doubles from 411,800 hours to 978,000 hours. The ‘minor additions’ of information to be included in the application will, apparently, change the time it takes to complete an application from about 1 hour to almost 3.3 hours. I would hate to see what constitutes a significant or major increase in information to be collected.

Public comments on this ICR are being solicited. Comments should be sent to the Office of Information and Regulatory Affairs at OMB by July 22, 2011. Comments may be sent by email (oira_submission@omb.eop.gov) and should be addressed to the Desk Officer, Department of Homeland Security/TSA.

Tuesday, June 21, 2011

Today the House Homeland Security web site for tomorrow’s HR 901 markup hearing added a substitute amendment that the Committee will consider during their review of HR 901. This substitute will be offered by Rep. Thompson (D, MS) as an alternative to the amendment offered by Rep. Lungren (R, CA) that I discussed in my earlier blog.

This 95 page substitute is essentially Title I of HR 2868 as passed by the House during the 111th Congress. It is the ‘wish list’ for a comprehensive chemical security bill as viewed by environmental and labor activists. As I mentioned in the earlier blog, the support of some portion of these political elements will be required to pass chemical facility security legislation in the Senate.

Unfortunately, this proposal, as written, has no chance of being passed in the House or the Senate. The supporters of these proposals were stronger in the Senate in the last session and were unable to bring the House passed bill to the floor for debate, much less a vote. The Republican vote against this proposal in the Committee markup session will undoubtedly be unanimous and there is a good possibility that there will be some Democrats that vote against it as well.

The disturbing thing to me is that I know that Ranking Member Thompson is fully capable of counting the votes against this proposal. He knows that it has no chance of passing. With this in mind I can only conclude that one of two things has happened, either Thompson has decided that he wants no chemical security legislation to pass this session or he has decided that Chairman King is incapable of seeing that the current version of HR 901 (and HR 908) has no chance of being considered by the Senate, much less passing in that body.

In either case, the all-or-nothing stance that seems to be indicated by this alternative makes one conclude that another session of Congress is going to pass without any effective attempt to pass a real chemical security bill. Well, the chemical companies can continue to live with the uncertainty of the current year-to-year authorization process and the country can continue to hope that no terrorist organization recognizes and exploits the shortcomings of the current chemical security program.

Last week the Surface Transportation Board set a time for this Thursday for oral arguments in the dispute between Canexus and BNSF about the rail transportation of chlorine gas from a Canexus facility in North Vancouver, BC to Kansas City, MO.

In their decision on oral arguments the STB made provisions to cancel those proceedings if the three parties to the dispute (Canexus, BNSF, and UP) agreed to Board supervised mediation in the dispute as requested by BNSF. In a filing submitted to the Board yesterday, Canexus declined to participate in such mediation, noting that this was not, in their opinion, a dispute about interline locations, but a failure of BNSF to provide requested delivery services.

It will be interesting to see if UP uses their 20 minutes to pursue their recommendations to the Board that the STB use this case as a basis to begin establishing a comprehensive policy for the transportation of TIH chemicals. One of the more controversial components of the policy that UP suggests should be included would be a distance threshold for TIH shipments. UP suggests that any request for a TIH rail shipment of more than 1000 miles would have to be submitted to the STB to justify that the shipment “is in the public interest and cannot be avoided through a less risky or less expensive alternative” (page 7 of UP reply to STB’s initial order).

The DHS National Protection and Programs Directorate (NPPD) published a notice in today’s Federal Register (76 FR 36137-36138) that the National Infrastructure Advisory Council would be meeting on July 12th, 2011 in Washington, DC. While this is a public meeting, participation in the Council’s deliberations will be limited to Council members, appropriate Federal officials and specifically invited persons.

Information Sharing Study

The main focus of this meeting will be an update on the on-going information sharing study. As I noted in an earlier blog the working group focusing on this topic had earlier decided to do case studies in five different critical sectors, including the chemical sector. Three of the other four sectors (Commercial Facilities, Healthcare, and Oil & Natural Gas) would also include CFATS covered facilities.

It will be interesting to see if the information sharing discussion at this meeting will include mention of the establishment of a chemical facility fusion center that I suggested in my earlier submission to the NIAC.

Public Comments

While public participation in the deliberations will not be allowed, NIAC will set aside 30 minutes at the end of the meeting to hear the public’s input on information sharing. Speakers are limited to 3 minutes and must register at least 15 minutes in advance. Speakers will be heard in the order of registration.

Written comments may also be submitted in advance for consideration by council members. Such comments should be received by July 5th and may be submitted via the Federal eRulemaking Portal (http://www.regulations.gov/, Docket # DHS-2011-0034).

Monday, June 20, 2011

Today the GPO had the report of the House Appropriations Committee on HR 2219 available on-line. I was correct in the supposition in my earlier blog on this bill that the report would contain references to military cyber defense/security operations. The requirements include reports to Congress and changes in the way that the cybersecurity budget is included in the overall DOD Budget.

Report to Congress

As we have come to expect from these Committee reports, the Committee directs the Commander of the Cyber Command to prepare a detailed report on the planned scope of operations of that command. Some of the items that the Committee is requiring to be addressed in the report (pages 207-8) include:

● The goals of the cyber initiative, including cyberspace operations;

● Computer network operations;

● Information assurance;

● The full spectrum cyber operations for the Department of Defense and the Services;

● The organizational structure and responsibilities for each of the participants; and

● The various programs and initiatives in the Department of Defense and the Services that are supporting the cyber goals outlined.

There is nothing that specifies that this report should be unclassified with classified annexes as appropriate. I think we should assume that DOD will ensure that the report is classified. This will help to ensure that the distribution is even more limited than most reports to Congress.

Interestingly, there is no mention of how DOD and DHS will work together in overseeing the general cybersecurity of the country. Nor is there any specific mention of control systems issues.

Accounting Change

The Report recommends a change to the way that cybersecurity operations are listed in the DOD budget. They recommend that DOD elevate cyber security operations to “a virtual Major Force Program (MFP) to better coordinate and track the budgets related to cyber activities” (page 208). This would make cyber security/defense spending a readily distinguishable part of the budget process.

Information Sharing

The Committee also expressed their concerns about the Department’s ability to share cyber threat information with the portion of the private sector supporting DOD activities, the Defense Industrial Base. The Committee is concerned that the Department’s reliance on classified threat information makes this information impossible to share with large segments of the supplier base due to the dearth of security clearances available to many of these commercial organizations.

To resolve this issue, the Committee directs the preparation of yet another report to Congress. This report would address “the collaboration and sharing of sensitive but unclassified [SBU] threat information across the entire Defense Industrial Base, including any plans to leverage commercially available services that meet federally mandated security requirements” (pg 208).

Unfortunately, the Committee failed to address the underlying issue that most threat information is still contained in classified documents that cannot be shared through this means. The report should have also addressed the question of requiring the production of SBU versions of all cyber threat intelligence reports.

House Rules Committee Hearing

On a slightly separate note, the House Rules Committee web site today announced that the hearing on HR 2219 will be held on Wednesday evening. That would allow for the House to begin considering this appropriations bill as early as Thursday. I’m sure that we will see another open rule with widespread floor amendments. Lots of amendments means long hours this week if the House leadership intends for this to be completed this week.

With the news from the intelligence folks looking at the Bin Laden raid information that al Qaeda was looking at possible attacks on rail assets in the United States there has been an increase in security awareness at most railroads. This increased awareness may have been responsible for the detection of an apparent attempted attack on a freight rail line in Iowa a little over a week ago.

The Incident

An article at KGOAM810.com reports that a rail switch outside of Menlo, IA was tampered with, leaving a 2” gap in the switch that could have resulted in a freight rail train derailment. The tampered-with switch was covered to make the attack harder to detect.

According to the article, the FBI did not feel that the attack was terror related. While that is good news in one respect, it also points out that security measures are not needed just to protect against an al Qaeda attack. A variety of people and groups may have a reason to attack railroads or use rail derailments to attack facilities or communities near rail tracks.

Chemical Facilities as Targets

With a very large number of high-risk chemical facilities located along rail lines, security managers at these facilities need to consider that relatively simple attacks like this could be used as a method of breaching the perimeter security of a high-risk facility. A large-scale derailment with the release of flammable, explosive or toxic chemicals could be an effective weapon against such a facility.

Even without a catastrophic release (and most rail lines near high-risk facilities are not high-speed lines, reducing the potential risk from a derailment), a derailment brings about a great deal of confusion as a wide variety of responders from multiple agencies show up in the area to deal with the emergency. This confusion could be used to make it easier to breach a security perimeter.

Where it is obvious that emergency personnel responding to a train derailment would need to gain access through a high-risk facility, facility managers will need to address such access in their security plans. While police, fire and EMT responders should not be a problem, a rail derailment also involves railroad personnel and a variety of contractors used to mitigate hazards and clean up the mess.

Advance Coordination

Facility security managers are typically going to have to coordinate with the local freight railroad companies about access issues for trains making deliveries to and shipments from the facility. That would also be a good time to establish a close working relationship with the security and emergency response folks at the railroad. That relationship would greatly ease the problem of the timely vetting of response personnel needing facility access.

Sunday, June 19, 2011

On Friday the Office of Management and Budget announced that it had received the information collection request (ICR) from DHS S&T allowing the establishment of the CyberForensics Electronic Technology Clearinghouse (CyberFETCH). Readers may remember that this program would allow cyber security forensics experts to participate in a secure forum for exchanging forensics information.

The 30-day ICR notice was published back in April. There were no public comments filed in response to that notice so there is no obvious reason for the delay in submitting this ICR to OMB. It may be that S&T delayed the submission to keep it more in line with the timelines for the development of the hardware and software for the system.

Since this is a new ICR there is no telling how long it will take OMB to approve the collection. It could range from a couple of days to months.

Two weeks in a row with both houses of Congress in Washington, what a concept. The hearing schedule is beginning to reflect the approach of the summer vacation period with lots of increased activity with seven hearings this week of potential interest to the chemical and cyber security communities. As I mentioned yesterday there will be a markup of HR 901; additionally there will be two cyber security hearings, a budget hearing, a rail security hearing, a suspicious activity reporting immunity hearing and the political favorite, a WMD hearing. There will also probably be a House Rules Committee hearing on the rule for HR 2219 that I mentioned last night.

Cyber Security

Two different committees will be looking at the Obama Administration’s cybersecurity proposal. On Tuesday the Subcommittee on Crime and Terrorism of the Senate Judiciary Committee will hold their hearing with witnesses scheduled from the Department of Justice, DHS-NPPD, and the National Institute of Standards and Technology.

On Friday the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the House Homeland Security Committee will hold their hearing on the subject. There is no witness list available yet for this hearing.

As I noted in an earlier blog, there are significant control systems provisions in the President’s cybersecurity proposal, but that is no guarantee that they will even be mentioned in these hearings. The inclusion of NPPD and NIST witnesses does provide the possibility that this topic will be covered in the Senate hearing, but a lot will depend on the questioning from the Senators. Being a Judiciary Committee panel, I don’t hold out a lot of hope for the Senate hearing, but I do expect a better chance of substantive coverage of control systems security issues in Friday’s hearing.

Coast Guard Budget

The Oceans, Atmosphere, Fisheries, and Coast Guard Subcommittee of the Senate Commerce Committee will be holding an oversight and budget hearing on Thursday looking at the Coast Guard. This is kind of late in the season for a budget hearing, but the Senate is way behind the House in the budget process this year. I doubt that there will be much in the way of MTSA coverage in this hearing. No witness list is currently available, but we can certainly expect the Commandant to be on hand.

Rail Security

The Senate Homeland Security and Governmental Affairs Committee will be holding a hearing on Wednesday looking at rail security operations. The recovery of information from the Bin Laden compound indicating an interest in attacking rail targets on the 9/11 anniversary is bringing some attention to this neglected area. If last week’s hearing before the Senate Commerce Committee is any indication, there will be no substantive discussion of the existence of a freight rail threat, but we can always hope. Those hopes are partially dashed by the fact that there is no railroad witness on the current witness list.

See Something Say Something

The Subcommittee on the Constitution of the House Judiciary Committee will be holding a hearing on HR 963, the See Something, Say Something Act of 2011, on Friday. This is a bill introduced by the Judiciary Committee Chair to provide immunity to people making good-faith suspicious activity reports. There are no witnesses currently listed for this hearing.

WMD

Late last session Rep. King (R, NY) introduced HR 5057 that dealt with defenses against terrorist uses of weapons of mass destruction. King’s bill focused almost exclusively on nuclear and biological weapons to the exclusion of chemical weapons. That bill is apparently pending re-introduction and will be the subject of a hearing before the Cybersecurity, Infrastructure Protection, and Security Technologies Subcommittee of King’s Homeland Security Committee on Thursday.

In reviewing the bill I could find no specific mention of cyber security programs which is not unexpected due to the relatively low level of expenditures to be expected for such programs. There may be more information available in the Committee Report from the House Appropriations Committee (HR 112-110), but that report is not yet available from the GPO.

This bill may be taken up this week in the House, again under an open rule. The House Rules Committee has not yet set a date for their hearing to develop the rule for the consideration of this bill by the whole House.

Yesterday, the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published another advisory on SCADA-related systems with a buffer overflow vulnerability. This time it concerns three InduSoft applications used to develop HMI, SCADA and embedded instrumentation solutions; one or more of these applications may be bundled as third-party applications in SCADA systems.

Heap-based and stack-based buffer overflow vulnerabilities were identified that would provide a moderately skilled attacker an opportunity to perform arbitrary code execution, which could impact the SCADA production environment. A patch is available to fix this vulnerability.

These applications are not typically bought by control system users, but they may be bundled within a control system bought from some other vendor. Once again this points out the importance of a SCADA user knowing what components of other vendors are bundled within their system. In a perfect world the system vendor would automatically include a list of such bundled software in their system documentation provided to the buyer. In the real world the cyber security manager will likely have to request this information from the system vendor.
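The cross-check described above, as an added illustration that is not part of the original post or any vendor tool: a vendor-supplied list of bundled third-party software is parsed and matched against an advisory list, flagging components below the patched version and, just as importantly, components whose version the vendor documentation never states. Supplier names, product names and version numbers are constructed placeholders, not real InduSoft or ICS-CERT data.

```python
import re
from typing import NamedTuple, Optional


class Advisory(NamedTuple):
    supplier: str      # third-party supplier named in the advisory
    product: str
    fixed_in: str      # first version that carries the patch


class Finding(NamedTuple):
    component: str
    installed: Optional[str]
    fixed_in: str
    status: str        # "patch required" or "version unknown"


# Constructed sample advisory list (placeholder names and versions, not real data).
ADVISORIES = [
    Advisory("ExampleHMI", "Runtime Engine", "7.1.2"),
    Advisory("ExampleHMI", "Web Thin Client", "7.1.2"),
    Advisory("ExampleHMI", "Embedded Studio", "3.0.0"),
]

# Constructed sample of a system vendor's bundled-software list, as it might
# appear in the system documentation.  One entry deliberately omits the version,
# which is the common real-world gap the cyber security manager has to chase down.
MANIFEST = """\
Bundled third-party software (constructed example)
ExampleHMI Runtime Engine v7.0.4
ExampleHMI Web Thin Client v7.1.2
ExampleHMI Embedded Studio
Acme OPC Server v2.3
"""

LINE_RE = re.compile(r"^(?P<supplier>\S+)\s+(?P<product>.+?)(?:\s+v(?P<ver>[\d.]+))?\s*$")


def version_key(v: str) -> tuple:
    """'7.10.0' -> (7, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_manifest(text: str) -> list:
    """Return (supplier, product, version-or-None) for each component line."""
    comps = []
    for line in text.splitlines()[1:]:   # skip the title line
        m = LINE_RE.match(line)
        if m:
            comps.append((m["supplier"], m["product"], m["ver"]))
    return comps


def find_exposed(manifest: str, advisories: list) -> list:
    """Match bundled components to advisories; flag anything below the fixed version."""
    by_key = {(a.supplier, a.product): a for a in advisories}
    findings = []
    for supplier, product, ver in parse_manifest(manifest):
        adv = by_key.get((supplier, product))
        if adv is None:
            continue                       # no advisory for this component
        name = f"{supplier} {product}"
        if ver is None:
            findings.append(Finding(name, None, adv.fixed_in, "version unknown"))
        elif version_key(ver) < version_key(adv.fixed_in):
            findings.append(Finding(name, ver, adv.fixed_in, "patch required"))
    return findings


if __name__ == "__main__":
    for f in find_exposed(MANIFEST, ADVISORIES):
        print(f"{f.component}: installed={f.installed} fixed_in={f.fixed_in} -> {f.status}")
```

Components at or above the fixed version, and components no advisory names, produce no finding; a missing version is reported rather than silently passed so it can be followed up with the vendor.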

This week the House Homeland Security Committee will be conducting a full committee markup of HR 901, Chemical Facility Anti-Terrorism Security Authorization Act of 2011. The hearing will be held on Wednesday and “subsequent days as may be necessary”. As currently written this bill is just a codification of the current CFATS authority as an amendment to the Homeland Security Act of 2002 with an extension of that authority until September 30th, 2018.

The Committee web site notes that an amendment in the form of a substitute will probably be offered by the bill’s sponsor, Rep. Lungren (R, CA). The only change that I can find in that amendment is in §2107 where the annual authorization rate is changed from $93 Million to $89.9 Million; the same figure that was included in the marked-up version of HR 908.

The comment on the web site that this might be a multiple day hearing may indicate that Chairman King (R, NY) is trying to craft a revision to this bill that might have a better chance of being considered and passed in the Senate. This might include provisions addressing one or more of the following issues:

Any of the above provisions would have to be carefully crafted to allow passage both in the House (where industry concerns about the provisions would have to be addressed) and in the Senate (where environmental and labor activists have substantially more influence). Industry desire for a long term extension of the CFATS authority may make a reasonable compromise on some of these issues possible.

Another factor that must be considered in the markup of this bill is the fact that there is an alternative bill (HR 908) reported by the Energy and Commerce Committee that also provides for a long term extension of the CFATS program. The House leadership will have to decide which bill to bring to the floor of the House for consideration. The chance of this bill being the one selected would probably be increased if a water treatment facility provision were added to the bill as this would ensure that the Energy and Commerce Committee would have some oversight responsibility for the CFATS program. This would be similar to the compromise reached last session on HR 2868.

The Senate bill extending the CFATS authorization (S 473) has not yet been brought up in Committee. This may be a case of the Senate waiting to see what the House approves before they consider their options. This is what happened in the last session.

Friday, June 17, 2011

This week both BNSF and UP have filed responses to the complaint Canexus Chemicals Canada initiated with the Surface Transportation Board (STB) about the transportation of chlorine from the Canexus facility in North Vancouver, BC to Kansas City, MO. As I noted in my initial blog on this issue, this is a TIH routing issue made complex by TIH routing regulations, PTC regulations and previous STB rules.

Background Information

Canexus produces chlorine gas at its chlor-alkali facility in North Vancouver, BC. It has customers for that chlorine in the Southeast United States. There is no single railroad that can provide delivery service of that chlorine from source to customer. Some of those customers receive delivery service from UP. Canexus had negotiated a delivery contract with UP for those customers with UP accepting the chlorine shipments at an interchange location in Kansas City, MO. BNSF has declined to provide service from the Northwest to Kansas City for that interchange; countering with a proposed interchange with UP in Washington or Oregon. Canexus maintains that BNSF has a common carrier obligation to provide that service to Kansas City.

Complexities

First issue, BNSF does not actually service the production facility in British Columbia. That initial rail service is provided by CN. BNSF does provide service from an interchange with CN in Canada, but CN also provides service directly to the Mid-Western United States where there is a potential interchange with UP at St. Paul, MN. Other non-BNSF interchange options include interline arrangements through CP. So, BNSF maintains that, with other options for the required service to customers in the Southeast United States, they should not be compelled to provide the requested service.

The second issue is the high-cost of TIH transport. BNSF notes that the liability issues associated with a potential chlorine release and the requirements for the installation of positive train control equipment on lines with TIH service both increase the costs of providing TIH service. BNSF notes that they are not currently able to charge TIH shippers rates that would cover these increased costs.

The third issue involved in this dispute is the regulatory requirement for railroads to conduct TIH route planning that minimizes the safety and security risks associated with such shipments.

In its response to the Board’s requirement to respond to the Canexus complaint BNSF states:

“Normally, the originating carrier exercises that preference by selecting the long haul in order to maximize its revenue division and contribution. But in the case of TIH/PIH, the normal commercial incentive to maximize contribution is not always controlling. The risk of liability, and the increased capital and operating costs from transporting TIH/PIH traffic far outweigh the potential revenue contribution and therefore BNSF logically seeks to minimize its potential exposure by minimizing its length of haul.”

While not as clearly stated in the UP response to the same order, UP has attempted to shorten its segment of the chlorine transport by accepting an interchange at Kansas City instead of in Washington or Oregon by directly negotiating a delivery contract with Canexus.

BNSF has filed a motion with the Board to refer this dispute to a mediation panel as is typically used in disputes about selecting interchange locations. They note that if the Board so orders, it will voluntarily extend its current arrangements for chlorine shipments to Kansas City until the end of July.

Oral Arguments Ordered

Yesterday the STB issued a conditional decision calling for oral arguments to be presented on June 23rd. It will not hold those arguments if both UP and Canexus agree to the mediation proposed by BNSF. UP and Canexus have been ordered to respond to the mediation proposal by June 20th.

About Me

I spent 15 years in the US Army as an Infantry NCO. After getting out of the Army I started working in the chemical industry, getting my BSc Chemistry degree while working as a technician. I spent 12 years working as a process chemist in a specialty chemical company. I'm now working as a QA Manager in a specialty chemical manufacturing facility.